The National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations defines access authorization as "Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals." The Medical Center controls access to Information Systems through authorization, management and training.


To ensure access to Information Systems containing EPHI is controlled and managed by System Owners and Supervisors/Managers.


This standard applies to Medical Center customers, Owners of Information Systems and Managers/Supervisors.



All new users of electronic data access must sign the Electronic Access Agreement form before being granted access to Medical Center electronic files and applications.

Access to institutional information systems shall be strictly controlled through the use of user identification and authentication (sign-on). This includes password protections identified in the Person Entity Authentication Procedure.

Access to institutional information systems managed by Health Information and Technology (HIT) will be strictly controlled through the Online Access Request (OAR) Application. Access to Information systems such as Epic, Invision, PeopleSoft, etc. must be requested via the OAR Application before access is granted.

Access to institutional information systems and their data will be limited to individuals who have a need-to-know for their work or training.

Access shall be restricted, to the degree practical, to the update and/or retrieval capability required for the job role of the person being granted access.

Per Health System Policy IT-002: Use of Electronic Information and Systems, all non-UVa employees requesting access to Electronic Protected Health Information (EPHI), either via VPN or EMR, must have prior approval by Health Information Services (in collaboration with Information Security and the Compliance and Privacy Office.)

Administrators of departments and affiliates that manage other institutional clinical Information Systems that contain components of the medical record (“departmental systems”) are responsible for access control based on need to know to do one’s job, for termination procedures, and for security measures. Grants of access to departmental systems should follow the minimum necessary standards referenced in Health System Policy IT-002: Use of Electronic Information and Systems.

Security controls or methods that allow access to Information Systems containing EPHI must include unique user identifiers (user IDs) that enable individuals to be uniquely identified. User IDs must not give any indication of the user’s privilege level. In certain instances an individual may be assigned multiple user IDs which will be configured to reflect the primary user ID plus a numbers/letters as a suffix.


An employee’s access to all information systems shall be reviewed on an annual basis by the employee’s manager/superviosr. This review will insure that all accesses are still appropriate for the employee’s job role. Any changes will be relayed to the appropriate systems security administrators. ( See Supervisor Review Form)


System Owners have the ability to perform reviews on all employees who have access to the information system in which they approve access to. System Owners may request access be removed at any given time if it's determined the access an employee has is no longer appropriate due to job changes or training requirements not being met.

System Owner Review: https://www.healthsystem.virginia.edu/auth/login.cfm?referringurl=/alive/computing/forms/Security/OAR2/AccessRequest.cfm

See Medical Center Policy No. 218: Definition, Characteristics, Authentication and Maintenance of the Medical Record and Designated Record Set for a list of applications containing a portion of the institutional Designated Record Set.

Training Requirements

The Information System owner will designate training requirements for applications. This determination will be made based on the functional complexity of the specific system. Access to the information system will not be granted until all training requirements have been met.

Document Supporting Resources